From 1c112005fa4e1b4da8ba03f2d301f5647ac39720 Mon Sep 17 00:00:00 2001
From: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
Date: Mon, 20 Oct 2025 11:58:57 -0600
Subject: [PATCH] Don't Attempt to Generate Token Without Valid Token Request

Closes gh-18088

Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com>
---
 .../web/authentication/ott/GenerateOneTimeTokenFilter.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java b/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java
index 0eefd98a89..6f4788f1fe 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/ott/GenerateOneTimeTokenFilter.java
@@ -68,11 +68,11 @@ public final class GenerateOneTimeTokenFilter extends OncePerRequestFilter {
 return;
 }
 GenerateOneTimeTokenRequest generateRequest = this.requestResolver.resolve(request);
- OneTimeToken ott = this.tokenService.generate(generateRequest);
 if (generateRequest == null) {
 filterChain.doFilter(request, response);
 return;
 }
+ OneTimeToken ott = this.tokenService.generate(generateRequest);
 this.tokenGenerationSuccessHandler.handle(request, response, ott);
 }
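Review bot: The null check that now sits ahead of `this.tokenService.generate(generateRequest)` has no comment explaining why the order matters, and the diffstat lists only this filter, so nothing in the patch pins the ordering with a test. I would add `// resolver returned no request: pass through without generating a token` above `if (generateRequest == null)`, because a later refactor could hoist the generate call back above the guard. A regression test that makes the resolver return null and then asserts the token service was never invoked (for example with Mockito's `verifyNoInteractions`) would keep an unresolvable request from reaching token generation, which presumably has side effects such as storing or delivering the token. The enclosing method starts above the hunk, so the request-matcher branch is only partly visible here.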